My Net Loss Proof SSH Tunnel Commands

/etc/rc.local

# Let the server forward the client's traffic and NAT it out of eth0
sysctl net.ipv4.conf.all.forwarding=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# tun0 only exists while a client session opened with -w is up, so keep re-applying its address
while true ; do ifconfig tun0 inet 10.0.0.1 netmask 255.255.255.0 pointopoint 10.0.0.2 mtu 1500 up ; sleep 5 ; done &

[common]

S="1.2.3.4"

client

screen -S rssh
# root assumed here: the original user name was lost to e-mail obfuscation on the page (the server config below permits root login)
sudo ssh -w0:0 "root@$S" 'while true ; do echo `date`-$RANDOM ; sleep 5 ; done'

os x/bsd

screen -S rtun
sudo su -
ifconfig tun0 inet 10.0.0.2 netmask 255.255.255.0 pointopoint 10.0.0.1 mtu 1500 up
# Gateway of the current default route (OS X/BSD netstat format)
R=`netstat -nr | grep -i 'default[ ]*[1-9]' | awk '{ print $2 }'`
# Keep the SSH server itself reachable through the real gateway before the default is swapped
route add -host "$S" "$R"
route delete default "$R"
route add default 10.0.0.1
# Watch tun0: it disappears when the session drops, so put the real default back and stop
while true ; do c=`ifconfig tun0 2> /dev/null` ; if [ "$c" == "" ] ; then route add default "$R" ; break ; fi ; sleep 5 ; done

Thought This Was Cool (+OpenSSH Config)

Daily NSA Edit: http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

and another one! http://prism-break.org

To choose a specific set of ciphers, hashes, and key exchanges for your OpenSSH server (the rm below, run in the directory holding the host keys, drops the generated ECDSA host keys so only the RSA key is offered; note that current OpenSSH releases leave the CBC ciphers out of their defaults, so aes256-ctr is the one to keep):

rm -fv *ec*key*

sshd_config

# Strongest
HostKey        /usr/local/etc/ssh_host_rsa_key
KexAlgorithms  diffie-hellman-group-exchange-sha256
Ciphers        aes256-cbc,aes256-ctr
MACs           hmac-sha2-512,hmac-sha2-256

# Tunneling
TCPKeepAlive     yes
PermitRootLogin  yes
PermitTunnel     point-to-point
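As an added example that is not from the post, a small audit of an sshd_config along the lines of the settings above: it resolves each keyword the way sshd does (first occurrence wins, keywords are case-insensitive, '#' starts a comment) and flags the CBC cipher, the root login and the open tunnel permission in a constructed copy of this config. It assumes the plain "Keyword value" form and the usual POSIX tools (awk, tr).

```shell
#!/bin/sh
# Constructed copy of the post's sshd_config, used as the sample input.
SAMPLE_CONFIG='# Strongest
HostKey        /usr/local/etc/ssh_host_rsa_key
KexAlgorithms  diffie-hellman-group-exchange-sha256
Ciphers        aes256-cbc,aes256-ctr
MACs           hmac-sha2-512,hmac-sha2-256
# Tunneling
TCPKeepAlive     yes
PermitRootLogin  yes
PermitTunnel     point-to-point'

# sshd_value KEYWORD < config: the value sshd will use for KEYWORD, i.e. its
# first occurrence (keywords are case-insensitive, '#' starts a comment);
# empty if the keyword is not set. Handles the "Keyword value" form only.
sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# audit_sshd < config: print one finding per line, exit 1 if there were any
audit_sshd() {
    cfg=$(cat)
    n=0
    ciphers=$(printf '%s\n' "$cfg" | sshd_value Ciphers)
    case ",$ciphers," in
        *-cbc,*) echo "Ciphers: CBC mode listed ($ciphers); keep only CTR/GCM"; n=$((n+1)) ;;
    esac
    macs=$(printf '%s\n' "$cfg" | sshd_value MACs)
    case ",$macs," in
        *md5*|*sha1*) echo "MACs: MD5/SHA-1 MAC listed ($macs)"; n=$((n+1)) ;;
    esac
    case "$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)" in
        yes) echo "PermitRootLogin yes: use prohibit-password, or a dedicated tunnel account"; n=$((n+1)) ;;
    esac
    case "$(printf '%s\n' "$cfg" | sshd_value PermitTunnel)" in
        yes|point-to-point|ethernet)
            echo "PermitTunnel: layer-3 tunnels allowed for every user; scope it with a Match block"
            n=$((n+1)) ;;
    esac
    [ "$n" -eq 0 ]
}

# Run against the sample: printf '%s\n' "$SAMPLE_CONFIG" | audit_sshd
```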

A Quick SSH Based VPN Tunnel With Default Gateway Override

sudo su

screen -S server
# root@infraopslab assumed: the page's e-mail obfuscation ate the user@host part (infraopslab is the name the note below says to change)
ssh -o Tunnel=point-to-point -w 0:0 root@infraopslab
# From another shell while that session stays up: address this end of the tunnel
ifconfig tun0 10.0.0.2 pointopoint 10.0.0.1
# Keep the /24 of the host named in ~/client.txt on the real gateway, off the tunnel
h=$(dig +search +short "$(cat ~/client.txt)" | grep -i '^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' | head -n 1 | sed -e 's/[0-9]*$/0/g')
g=$(netstat -nr | grep -i '^0.0.0.0.*0.0.0.0' | awk '{ print $2 }')
route add -net "$h" netmask 255.255.255.0 gw "$g"
# Route only the hosts listed in ~/servers.txt through the tunnel
for s in $(cat ~/servers.txt) ; do echo "[$s]" ; i=$(dig +search +short "$s") ; route add -host "$i" gw 10.0.0.1 ; done
# Alternative: send everything through the tunnel with two /1 routes, which outrank the default without deleting it
#route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.0.0.1
#route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.0.0.1

screen -S client
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush every rule, then NAT the tunnel's traffic out of em1
iptables -F ; iptables -X ; iptables -t nat -F ; iptables -t nat -X
iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
# tun0 exists only while the -w session is up, so keep re-applying its address
while true ; do ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 ; sleep 3 ; done

You should change the following references above to match your own setup: infraopslab and em1

# Watchdog: reboot if the box loses outside connectivity
while true ; do ping -c 1 google.ca ; if [ $? -ne 0 ] ; then reboot ; fi ; sleep 3 ; done
# Delete every route that goes through a gateway other than the default (the grep keeps only lines without 0.0.0.0)
netstat -nr | grep -Eiv '^(kernel|destination|0.0.0.0.*0.0.0.0|.*0.0.0.0)' | while read l
do
	d=`echo "$l" | awk '{ print $1 }'`
	g=`echo "$l" | awk '{ print $2 }'`
	n=`echo "$l" | awk '{ print $3 }'`
	echo "$d $g $n"
	for t in net host
	do
		route del "-$t" "$d" netmask "$n" gw "$g" > /dev/null 2>&1
	done
done
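The client-side route swap from this post and from the first post above, as an added example that is not the author's script: it fixes the one order that keeps the box reachable (host route to the SSH server before the default is touched), adds the /1 split variant from the commented-out lines as the safer mode, and has a matching tear-down. It assumes Linux net-tools route/netstat, the posts' tunnel peer 10.0.0.1 and a placeholder server address 1.2.3.4; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# run CMD...: execute, or only print the command when DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Constructed 'netstat -nr' listing (Linux net-tools format) for the dry run
SAMPLE_NETSTAT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# default_gw < netstat-output: gateway of the 0.0.0.0/0 route
default_gw() { awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2; exit }'; }

# tunnel_up SERVER_IP GW [split]: the host route to the SSH server goes in
# first, so the session that carries the tunnel never depends on the tunnel.
# "split" uses 0.0.0.0/1 + 128.0.0.0/1 via the peer (the commented-out variant
# in the post): both outrank the real default, which is then never deleted
# and takes over again by itself when tun0 vanishes with the session.
tunnel_up() {
    srv=$1; gw=$2; mode=${3:-replace}
    run route add -host "$srv" gw "$gw"
    if [ "$mode" = split ]; then
        run route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.0.0.1
        run route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.0.0.1
    else
        run route del default gw "$gw"
        run route add default gw 10.0.0.1
    fi
}

# tunnel_down SERVER_IP GW [split]: exact inverse; each step fails
# harmlessly if the kernel already dropped that route together with tun0.
tunnel_down() {
    srv=$1; gw=$2; mode=${3:-replace}
    if [ "$mode" = split ]; then
        run route del -net 0.0.0.0 netmask 128.0.0.0 gw 10.0.0.1
        run route del -net 128.0.0.0 netmask 128.0.0.0 gw 10.0.0.1
    else
        run route del default gw 10.0.0.1
        run route add default gw "$gw"
    fi
    run route del -host "$srv" gw "$gw"
}

# Real use (as root, with the ssh -w session already up):
#   GW=$(netstat -nr | default_gw); trap 'tunnel_down 1.2.3.4 "$GW" split' EXIT
#   tunnel_up 1.2.3.4 "$GW" split
```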

Bash Login Script To Auto Add Your SSH Agent/Key

~/.bashrc

# Socket and saved export commands are keyed by host, so a home directory shared over NFS works on every machine
FOLDIR=~/.tmp/sshagent
mkdir -p $FOLDIR/shell > /dev/null 2>&1
# Try the export commands saved by the last agent started on this host
. $FOLDIR/shell/cmds.$(hostname -s) > /dev/null 2>&1
# ssh-add -l lists loaded keys as "<bits> <fingerprint> ..."; no such line means no usable agent
sshcheck=$(ssh-add -l 2>&1 | grep -i '^[0-9][0-9][0-9][0-9 ]')
if [ "$sshcheck" == "" ]
then
	mkdir -p $FOLDIR/sock > /dev/null 2>&1
	rm -frv $FOLDIR/sock/agent.$(hostname -s) > /dev/null 2>&1
	killall -9 ssh-agent > /dev/null 2>&1
	# Start a fresh agent on a fixed socket path and save its export commands for the next login
	ssh-agent -a $FOLDIR/sock/agent.$(hostname -s) > $FOLDIR/shell/cmds.$(hostname -s)
	. $FOLDIR/shell/cmds.$(hostname -s) > /dev/null 2>&1
	ssh-add
fi

Description of the script above (NFS friendly, since the socket and the saved export commands are keyed by the short hostname):
* Attempt to run the last ssh-agent export commands and check for valid keys with the ssh-add command
* If nothing exists then kill any current ssh-agent processes and save a new set of ssh-agent export commands
* Run the current set of ssh-agent export commands and add the default ssh key with ssh-add


Scripting JS Against PHPLDAPAdmin

Just a lame script to find any attributes for a given objectClass which are not used by any other objectClasses:

var a = "";
var l = document.getElementsByTagName("tr");
// Index the collection numerically; for..in would also visit "length", "item", etc.
for (var i = 0; i < l.length; i++)
{
	var m = l[i].getElementsByTagName("a");
	// Attribute rows carry exactly one link (the attribute name)
	if (m.length == 1)
	{
		// Keep rows whose "Used by objectClasses" text names only this class
		var z = l[i].innerHTML.match(/^.*Used.*by.*objectClasses.*User.*Authorization.*$/);
		if (z)
		{
			var p = l[i].parentNode.getElementsByTagName("tr")[0].getElementsByTagName("a");
			a += ("\"" + p[0].innerHTML + "\", ");
		}
	}
}
console.log(a);

Some Simple Automation Finally

Yesterday I got started on a new script which could help Afilias automate adding a new user to all of the systems and services they run here. There are a lot of steps involved and many systems, but Python should be able to handle it since it has a great module/library collection. Anyway, sorry for all of the non-tech posts, but it’s my first week here and I believe the work is kept private (for internal use only). Once I get more comfortable, I could probably publish some of my work towards any open-source projects if possible. 🙂


Still Learning! [Continued]

So yesterday I got to editing the NIS passwd/group files (being deprecated) so we can add a new user, and then used that information to convert it over into LDAP format. I also got into writing a little bot that attempts to monitor some of our servers by SSH’ing into them, watching some log files and then reporting back to IRC, mostly via Python. I’m excited for any new projects that come my way along with reading about new technologies that I’m unfamiliar with! I’m also noticing that some of our ticket processing steps (SOP guided) could use some more automation, along with translating some older scripts to a common language in a common place 🙂


Learning New Concepts!

So yesterday I went through the process of removing/disabling a user from all of the systems/services we use here at Afilias. It’s a multi-step procedure and I could look into automating it a bit more with Python. In addition, I did some reading up on LDAP modify/search via the command line as well as Kerberos *princ commands. I have a lot to learn still but I’m trying my best to catch up 🙂


Random Last Minute File Cleanup

Just found a little script I used to rename my music files based on their ID3 tag info.

#!/bin/bash
# Rename each file in the current directory to "Artist - Title - Track.ext" from its exiftool tags
ls | while IFS= read -r s
do
	# Turn / and ? in the tag dump into _ so values like a "1/12" track number split cleanly below
	i=`exiftool "$s" | sed -e 's@[/?]@_@g'`
	a=`echo "$i" | grep '^Artist [ ]*:' | sed -e 's/^[^:]*:[ ]*//'`
	t=`echo "$i" | grep '^Title [ ]*:' | sed -e 's/^[^:]*:[ ]*//'`
	n=`echo "$i" | grep '^Track [ ]*:' | sed -e 's/^[^:]*:[ ]*//' -e 's/_.*$//'`
	if [ "$n" == "" ]
	then
		n="0"
	fi
	f=`echo "$i" | grep '^File Type [ ]*:' | sed -e 's/^[^:]*:[ ]*//' -e 's/^.*_//' | tr '[A-Z]' '[a-z]'`
	z="$a - $t - $n.$f"
	# Only rename when the name changes and the target does not already exist
	if [ "$s" != "$z" ]
	then
		if [ ! -f "$z" ]
		then
			mv -fv "$s" "$z"
		fi
	fi
done

Final Seneca Blog Post (But Hopefully Not The Last!)

So my time as a Research Assistant @ Seneca College is coming to an end. It’s been a long time (over 2 years!), and I’m glad that the higher ups here decided to keep me around for so long. I’ve learned a lot during my years here that I thought I’d share:

* Thank you Seneca College for hiring me!
    * and giving me the freedom to choose my own work/projects/hours
    * and providing paid funding for trips/food/hotels
    * and allowing me to gain experience/contacts/reputation

* Don’t directly modify software which is currently in use
    * Instead submit patches upstream to have your changes made official!

* It’s hard to see instant results when first going to the gym
    * I’m fairly skinny so it didn’t help to begin with 🙂

* I met my first girlfriend randomly at a conference which I had to attend for work purposes
    * Getting up at 4am on the weekend sucked but I got something amazing out of it!

* I used to hate social media services like blogs or twitter but they actually helped make a name for myself
    * Googling my name before returned no results which can be just as bad as negative results…

* Emotion/tone is often lost in online conversation with services like email or IRC
    * So don’t assume others are being mean by default if you’re ever unsure

* Stay calm if you’re arguing with another employee with differing view points
    * Sometimes these view points are more philosophically different rather than technical so it’s harder to convince others or learn from them
    * Keep an open mind set so you can learn new things and/or change your own view points
    * The reason for change may not be immediately clear to you until much later on down the road
    * Be patient when teaching others, regardless of their experience level

I think that’s about it for now, I’ll update this post if I can think of more later,
Thanks again to my friends and Seneca and Chris Tyler/Dawn Mercer for supporting me here,

– Jon Chiappetta

Edit: If you’re like me and you don’t enjoy having your entire life monitored and recorded by the NSA, a good site for app replacements can be found here: https://prism-break.org/
